The U.S. International Trade Commission is an independent, nonpartisan, quasi-judicial federal agency that provides trade expertise to both the legislative and executive branches of government, determines the impact of imports on U.S. industries, and directs actions against certain unfair trade practices, such as patent, trademark, and copyright infringement. USITC analysts and economists investigate and publish reports on U.S. industries and the global trends that affect them. The agency also maintains and publishes the Harmonized Tariff Schedule of the United States.

Commissioners
Irving A. Williamson, Chairman
Shara L. Aranoff
Dean A. Pinkert
David S. Johanson
Meredith M. Broadbent
F. Scott Kieff

UNITED STATES INTERNATIONAL TRADE COMMISSION
WASHINGTON, DC 20436

November 12, 2013                                                           IG-LL-018

Chairman Williamson:

This memorandum transmits the Office of Inspector General's final report, Audit of the Commission's Patching Process, OIG-AR-14-02. This audit focused on whether the Commission's process for patching systems was effective.

In finalizing this report, we analyzed management's comments to our draft report and have included those comments in their entirety as Appendix A. This audit determined that the patching process was not effective and identified three problem areas.

This report presents seven recommendations to address the problem areas.
In the next 30 days, please provide me with your management decisions describing the specific actions that you will take to implement each recommendation.

Thank you for the courtesies extended to the auditors during this review.

Philip M. Heneghan
Inspector General

U.S. International Trade Commission
Audit Report

Table of Contents

Results of Audit ........................................................................ 1
Problem Areas ........................................................................... 3
   Problem Area 1: The Commission Did Not Measure Half of its Hosts for Missing Patches ... 3
   Problem Area 2: The Commission Did Not Apply Patches in a Timely Manner .............. 4
   Problem Area 3: The Risk from Missing Patches Was Not Effectively Reported ........... 6
Management Comments and Our Analysis .................................................... 7
Objective, Scope and Methodology ........................................................ 7
Appendix A: Management Comments on Draft Report ......................................... 1

Tables and Charts
   Table 1: Scanning Results of Hosts ................................................... 2
   Table 2: Average Age of Vulnerabilities .............................................. 2
   Chart 1: Number of High Severity Vulnerabilities Classified by Days Since Patch Release ... 5
Results of Audit

The purpose of this audit was to answer the question:

       Is the Commission's process for patching ITCNet systems effective?

No. The Commission's process for patching ITCNet systems was not effective.

In order to effectively patch its systems, the Commission's process should measure all of its systems for missing patches, rapidly apply missing patches, and inform executive management with a complete and accurate status.

Systems can include physical or virtual servers, laptops, desktops, tablets, printers, network switches, and other types of devices. When they are connected to the Commission's network, each of these systems has at least one IP address, and each detected IP address is referred to as a "host."

The process was not effective because 49% of detected hosts were not evaluated for missing patches, patches for High severity vulnerabilities were not applied in a timely manner, and the risk from missing patches was not effectively reported.

When software vendors identify problems with their applications or operating systems, they create and release updates to the software to resolve these issues. These updates are known as 'patches.' These patches are made available to the public, who install these patches to rectify the problems they are intended to solve. According to the CIO, 145,005 patches were applied to Commission workstations between January and August this year.

The majority of patches being released are designed to correct newly-identified security flaws. Systems without these patches are vulnerable to exploits from these security flaws, which could result in an intrusion by malicious individuals.
Vulnerabilities defined as High severity identify those with the highest risk to the systems in question. Once a patch is released, the risk increases for systems that remain unpatched, because it has been publicly announced that a flaw is present, and the software patch can be analyzed to precisely identify the nature of the security flaw. Malicious parties use this information to create new exploits if they aren't already available.

Patching systems is a primary means of securing systems and there are no effective substitutes for this basic security measure. In order to manage and reduce the risk to the organization, those responsible for managing its systems must continually track the patched status of those systems, and deploy patches as soon as they are made available. If systems are allowed to remain unpatched, the ease with which they can be attacked can nullify all other security measures in place at the organization.

OIG-AR-14-02                                -1-

In our analysis of the data provided by the OCIO, we found that 49% of detected hosts had not been scanned for missing patches. The table below describes two distinct sets of data for two different scanning weeks, one during the week of July 14th, and the other the week of August 4th. The number of hosts detected is subdivided into those fully measured for missing patches, and those that were not.
For those that were measured, we provide an average number of High severity vulnerabilities per host.

Table 1: Scanning Results of Hosts

Description                                        Week of July 14   Week of August 4   Average
Hosts Detected                                                 867                847       857
  Hosts not measured                                           407                431       419
    - Hosts with no scan attempted                               5                  6       5.5
    - Hosts with scan errors                                   402                425     413.5
  Hosts Measured                                               460                416       438
    - Hosts Missing High severity patches                      451                406     428.5
    - Hosts Missing no High severity patch                       9                 10       9.5
Vulnerabilities Due to Missing Patches                        6152               2708      4430
Average High Severity Vulnerabilities Per Host                13.4                6.5      9.95

For the hosts that were measured and found to be missing High severity patches, virtually all patches missing were more than a week old, and 21% of them were more than 1 year old.
The average age of vulnerabilities due to missing patches is seen in the table below:

Table 2: Average Age of Vulnerabilities

Age of Missing Patches       Percentage of Vulnerabilities
Less than 7 days                                      0.3%
7-13 days                                            32.3%
14-90 days                                           28.3%
90-365 days                                          18.1%
More than 365 days                                   20.9%

The risk facing the Commission due to missing patches was not effectively reported. The Commission uses a formula that results in a target index score of 5, which implies that any number less than 5 indicates a secure network. Because the target score, or upper limit, is the log of a number, the target number is actually 100,000.

In our review of the two sets of the CIO's scan data, we found that on average, 438 hosts were scanned for missing patches. This means that an average, per-host passing score would be any number less than 228 (100,000/438).
Since a score of 7 or more is a High vulnerability, the implication is that the Commission finds it acceptable to have 33 (228/7=33) High severity vulnerabilities per host.

The current method of reporting provides the Commission with a false sense of security, and the stated goal would allow the risk to rise even more without the Commission becoming aware of an increased risk.

The three problem areas: (1) half of detected hosts were not evaluated for missing patches, (2) patches for High severity vulnerabilities were not applied in a timely fashion, and (3) risk due to missing patches was not effectively reported, are detailed below.

Problem Areas

Problem Area 1:

The Commission Did Not Measure Half of its Hosts for Missing Patches

An effective vulnerability management program requires knowing the patch status of all hosts. This is usually done by scanning the network and checking the patch status of each host on the network. It is not possible to effectively manage the patching process without a comprehensive measurement of status.

We reviewed two sets of data from scans performed the week of July 14th, and August 8th. We found that an average of 857 hosts were detected by the two sets of scans, but an average of 419 (49%) were not successfully measured for missing patches.

An overall contributing factor is that the Commission has self-imposed complexity by creating a single network with over 65,000 addresses, which is not a best practice. The decision to configure and maintain the network in this way has a number of negative consequences, one of which is that the network space is simply too large to be scanned on a frequent basis for missing patches.
This resulted in a situation where not all hosts were being measured for missing patches on a continuous basis.

In order to detect missing patches, the scans must be configured to use login credentials to connect to each host and gather an inventory of installed software. If the credentials aren't provided, or if for some reason they fail, then the host will not be scanned for missing patches. The scanning software provided several indicators of this failure to scan for missing patches, including:

1. (51%) The local checks failed because the account used did not have sufficient privileges to read all the required registry entries.
2. (30%) It was not possible to connect to PIPE\winreg on the remote host. If the scanning software is going to be used to perform registry-based checks, the registry checks will not work because the 'Remote Registry Access' service (winreg) has been disabled on the remote host or cannot be connected to with the supplied credentials.
3. (19%) Other. Either some other error occurred, or the use of credentials was not attempted.

When scans cannot measure for missing patches, the hosts may appear clean, as if they have no vulnerabilities (are not missing patches).
This leads to a false sense of security. The effect is that until these issues are identified and resolved, the Commission cannot know the risk to its network.

Recommendation 1: That the CIO shrink the network to facilitate at least weekly patch scanning of all hosts.

Recommendation 2: That the CIO implement alerts to identify all hosts that fail the patch measurement process.

Recommendation 3: That the CIO establish a system-build process that guarantees scanner access by default.

Problem Area 2:

The Commission Did Not Apply Patches in a Timely Manner

Due to the risk they pose to the network, patches for High severity vulnerabilities should begin to be applied upon patch release. For the purpose of this audit, we rated performance only for the application of released patches addressing High severity vulnerabilities. We did not measure vulnerabilities without a released patch, or any Low or Medium vulnerabilities.

When a vulnerability is publicly acknowledged, each is assigned a risk rating using the Common Vulnerability Scoring System (CVSS). The CVSS score is an industry standard that describes the risk of a specific vulnerability. A CVSS score over 7 indicates a High risk vulnerability. (Scores below 7 indicate Low to Medium-level vulnerabilities.)

We found that on average, 2.2% of 438 hosts measured were clean or fully patched. The remaining 97.8% of hosts measured required patches to resolve High severity vulnerabilities.

Many of the missing patches were weeks, months, or years old.
Even the anticipated, regularly scheduled monthly Microsoft patches (indicated by the large peak in the 7-13 days section below) were applied when they were more than a week old.

Chart 1: Number of High Severity Vulnerabilities Classified by Days Since Patch Release
[Bar chart. Vertical axis: number of High severity vulnerabilities, 0 to 3000. Horizontal axis: < 7 days, 7-13 days, 14-20 days, 21-29 days, 31-90 days, 90-365 days, >365 days. Two series: Week of July 14 and Week of Aug 4.]

This chart also shows that many patches older than 30 days are allowed to persist on the network, in many cases, for years.

These practices place the Commission at risk. There may be a few circumstances when a decision is made not to patch. However, the number of hosts that remain unpatched should be minimized, and the length of time the vulnerabilities persist should be limited.

In one example, the Commission has decided to allow many hosts to remain unpatched to maintain compatibility with a financial system. All of these hosts are at risk, and therefore place the rest of the network at risk. The Commission could choose to minimize the risk to these hosts and its network by fully patching these hosts, and use its existing technology to provide a secure, seamless means of accessing the financial system while maintaining the security of its hosts.
It has chosen not to do so, instead leaving these hosts, and therefore the entire network, vulnerable for years.

Recommendation 4: That the Commission patch all High severity application and operating system software vulnerabilities within 48 hours of patch release.

Recommendation 5: That the CIO identify any business needs that require the use of unpatched software and restrict access to a secured thin-client application or other solution that allows user workstations to be fully patched.

Problem Area 3:

The Risk from Missing Patches Was Not Effectively Reported

Patch management reporting is an essential part of the process to quantify the risk for executive management in an easily digestible fashion, so they are able to make informed decisions to manage that risk.

The Commission has published a performance metric, which it calls the Enterprise Vulnerability Index. It uses a complicated formula and describes as its goal any number less than 5. Since only an average of 438 hosts were measured for missing patches, the current metric implies that as long as it doesn't exceed 33 High severity vulnerabilities per host, the Commission will meet its target performance goal to ensure network security.

In previous OIG audits, in order to convey the magnitude of the risk due to missing patches, we have reported on the number of High severity vulnerabilities per host. Another measure sometimes used is to report on the average CVSS score per host. Other than what the Commission has published, we were unable to find any instances where an organization used the log of a sum to describe the security of a network.
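As an added illustration, not from the OIG report or the Commission's actual index code, the following Python reproduces the arithmetic of this section over constructed scan results and sets a log-of-sum index beside the per-host measures the OIG uses. It assumes the index is log10 of the summed CVSS scores of High severity findings on measured hosts, since the report states only that the formula is the log of a sum and that a target of 5 corresponds to 100,000; the Host class, per_host_report and the sample hosts are hypothetical.

```python
import math
from dataclasses import dataclass
from typing import List, Optional

HIGH_CVSS = 7.0     # report: a score of 7 or more is a High severity vulnerability
INDEX_TARGET = 5    # report: the Enterprise Vulnerability Index goal is any number below 5


@dataclass
class Host:
    """One detected host; cvss is None when the credentialed scan failed or was never attempted."""
    name: str
    cvss: Optional[List[float]] = None   # CVSS scores of findings on the host, or None if not measured

    @property
    def measured(self) -> bool:
        return self.cvss is not None

    def high_findings(self) -> List[float]:
        return [s for s in (self.cvss or []) if s >= HIGH_CVSS]


def enterprise_vulnerability_index(hosts: List[Host]) -> float:
    """Assumed reconstruction of the report's 'log of a sum': log10 of the summed CVSS
    scores of High findings on measured hosts. Unmeasured hosts contribute nothing."""
    total = sum(sum(h.high_findings()) for h in hosts if h.measured)
    return math.log10(total) if total > 0 else 0.0


def implied_per_host_budget(measured_hosts: int, target: float = INDEX_TARGET):
    """What the index target quietly permits per measured host. For the report's 438 hosts:
    10**5 / 438 = 228 CVSS points, and 228 / 7 = 33 High findings before the goal is missed."""
    score_limit = 10 ** target / measured_hosts
    return score_limit, score_limit / HIGH_CVSS


def per_host_report(hosts: List[Host]) -> dict:
    """The per-host figures Recommendation 6 asks for, plus the unmeasured share the index hides."""
    measured = [h for h in hosts if h.measured]
    detected, n = len(hosts), len(measured)
    findings = [s for h in measured for s in h.cvss]
    return {
        "hosts_detected": detected,
        "hosts_not_measured": detected - n,
        "pct_not_measured": round(100.0 * (detected - n) / detected, 1) if detected else 0.0,
        "avg_high_per_host": round(sum(len(h.high_findings()) for h in measured) / n, 2) if n else 0.0,
        "mean_cvss_of_findings": round(sum(findings) / len(findings), 2) if findings else 0.0,
    }


# Constructed sample, not Commission data: six hosts detected, three measured and badly
# behind on patches, three that the scanner could not measure (as in Problem Area 1).
SAMPLE = [
    Host("ws-01", [7.5] * 30 + [4.3] * 5),
    Host("ws-02", [9.3] * 20 + [7.2] * 10),
    Host("srv-01", [7.8] * 40),
    Host("ws-03"),       # insufficient privileges to read registry entries
    Host("ws-04"),       # Remote Registry (winreg) service disabled
    Host("printer-01"),  # no scan attempted
]

if __name__ == "__main__":
    idx = enterprise_vulnerability_index(SAMPLE)
    print(f"index {idx:.2f} {'meets' if idx < INDEX_TARGET else 'misses'} target {INDEX_TARGET}")
    print(per_host_report(SAMPLE))          # avg 33.33 High findings per host, 50% never measured
    print(implied_per_host_budget(438))     # (228.3, 32.6): the report's 228 and 33
```

With the sample, the index comes out near 2.9 and "meets" the goal while every measured host carries roughly 33 High findings and half the fleet was never measured at all, which is the gap between the two styles of reporting that this section describes.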
The Commission's metric conveys the message to executive management that the Commission has effectively ensured network security. This provides the Commission with a false sense of security, and does not provide actionable information to business owners regarding the risk to the network due to missing patches.

Recommendation 6: That the CIO report on the average number of High severity vulnerabilities per host, or average CVSS score per host, or another score that provides a metric on a per host basis.

Recommendation 7: That the Commission set a goal for missing patches at a number that provides an acceptable level of risk to the Commission.

Management Comments and Our Analysis

On November 5, 2013, Chairman Irving Williamson provided management comments on the draft report. He acknowledged that the Commission did not have an effective process for patching and agreed to make management decisions to address the recommendations in the report.

Objective, Scope and Methodology

Objective:

Is the Commission's process for patching ITCNet systems effective?

Scope:

This audit focused on the process for patching systems on ITCNet. To determine the patch-related vulnerability status, we analyzed two sets of scanning data provided by the CIO for the weeks of July 14 and August 8, 2013. This data included all hosts detected as part of the CIO vulnerability management process on the network ranges scanned, including servers, workstations, virtual hosts, and other network equipment providing connectivity and security.

Methodology:

   1. Evaluated the risk approach used by the CIO to assess vulnerabilities.
   2.
      We did not scan the network to evaluate patch status, but instead gathered existing vulnerability data from CIO.
   3. Identified hosts that were not scanned due to technical or policy issues.
   4. Analyzed vulnerabilities to remove false positives, and classified findings to identify trends and the causes of unpatched vulnerabilities.
   5. Determined whether the patching process was guided by reasonable risk-based decisions.
   6. Determined whether patch status was being accurately measured.
   7. Determined whether patch status was reported to executive management.
   8. Determined whether patches were applied in a timely fashion.

Appendix A: Management Comments on Draft Report

Cover illustration: "Thacher's Calculating Instrument," developed by Edwin Thacher in the late 1870s. It is a cylindrical, rotating slide rule able to quickly perform complex mathematical calculations involving roots and powers. The instrument was used by architects, engineers, and actuaries as a measuring device.